Remember MacDefender, the fake antivirus program that seemed to pop into the …


A recent raid by Russian police has revealed evidence that a company called ChronoPay is indeed behind the Mac OS X scareware program MacDefender, despite the company's earlier denials. But while the raid and the arrest of ChronoPay's CEO may put a dent in the company's profits, it's unlikely that MacDefender or its variants will disappear just yet.

When MacDefender first hit the scene, it was called MAC Defender, and it showed up on Mac users' machines after those users followed poisoned Google Image search results. Unlike many Windows scareware apps, however, this one was actually designed to look like native Mac software. It claimed to find viruses on the machine and offered to remove them, provided the user handed over a credit card number. The viruses were, of course, fake; the app's real purpose was to collect payment card details that the scammers could abuse later.

When we conducted our own investigation into MacDefender, we found that it wasn't taking over the Mac world as some had predicted, though the scareware had reached the general Mac population to some degree. Apple soon began combating MacDefender at the OS level, and there hasn't been much news about the scareware since.

But as it turns out, whoever was behind MacDefender kept at it, raking in money from unsuspecting Mac users until Russian law enforcement raided the ChronoPay office in late July, as noted by Forbes Russia. When police searched the office, they found "mountains of evidence" that ChronoPay employees were providing technical and customer support for MacDefender and a plethora of other fake antivirus programs, according to former Washington Post reporter and current security journalist Brian Krebs.

One such piece of evidence was a support document listing the website credentials and call records for several fake antivirus programs: MS Removal Tool, Clean This, MacDefender, and Marketplace Billing. That contradicts the statement ChronoPay issued in May, which claimed the company was "not involved with MacDefender in anyway, not [sic] are we involved with any virus production as has been alleged."

Krebs notes that while the raid may slow ChronoPay and its ilk in seeding fake antivirus software across the Internet, the business is far too profitable for scammers to stay away for long. "Given fake AV's status as a reliable cash cow, the industry is likely to bounce back rapidly," Krebs wrote.


Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com / Twitter: @eJacqui